Encrypted e-mail message retrieval system

ABSTRACT

An electronic message retrieval system in which the electronic message, and any corresponding attachments, can be encrypted by the sender of the message and routed to the intended recipient, even if the intended recipient is in a mobile location or it is otherwise inconvenient for the recipient to receive the electronic message in the form in which it was sent. The system provides an alarm or indication to the intended recipient, wherever he or she is, that a message has been delivered, an indication of the subject of the message and who sent the message, and whether the message is encrypted. The intended recipient then has the choice of deferring retrieval of the message until a later time when he or she can log onto a secure system and decrypt the message conventionally, or providing the system with a password or “key” which will permit the system to decrypt the message, convert it into a format retrievable by the mobile recipient, i.e., audible format for phone delivery, facsimile data for fax delivery, etc., and deliver the message to the mobile recipient.

FIELD OF THE INVENTION

The present invention relates generally to a communication system thatallows for the retrieval of encrypted messages through different media.In particular, in accordance with one embodiment of the invention,encrypted attachments to a an e-mail message, transmitted over acommunication network using one medium, such as a computer transmittingover a wide area network accessing the Internet, are recognized anddecrypted by the intended e-mail message recipient using a second,different, network medium, such as a cellular phone, pager, personaldigital assistant (PDA), etc. By utilizing either symmetric orasymmetric encryption technology, the integrity of the encrypted e-mailmessage, and its attachment, is maintained.

BACKGROUND OF THE INVENTION

The technology of transforming a received e-mail message to a differentformat, i.e., e-mail-to-voice or e-mail-to-facsimile data, etc., is wellknown in the art. One advantage gained by employing these techniques isthat format transformation of the e-mail message oftentimes permits theintended recipient of the message to receive the message more quicklythan if such transformations were unavailable. For example, an e-mailuser may physically be at a location which is inconvenient for receivinge-mail messages, such as in his or her car or in a meeting. In order toguarantee immediate receipt of e-mail messages, the user may have hise-mail messages forwarded from his computer, which is physicallyconnected to the e-mail network, to his cellular phone, pager, PDA, faxmachine or any other device that will make retrieval of the e-mailmessage more convenient.

Accordingly, when an e-mail message is received by the recipient'scomputer, the message is converted into an appropriate format andtransferred to the recipient's cellular phone, etc. Upon receipt of themessage, the phone then indicates receipt of the message, i.e., byactivating an audible and/or visual alarm recognized by the recipient.The recipient can then identify the respective sender of the messageand/or subject and determine whether or not to retrieve the messageimmediately, defer receipt until a later time, or delete the messagewithout opening it.

One issue that concerns virtually all e-mail users is the security ofthe content of the messages. Because e-mail messages are typically sentover the Internet, from one network to another, they are subject tobeing passed through various devices between the time the message leavesthe sender's machine and the time the message reaches the recipient'smachine. Each one of the various devices the e-mail message, and anycorresponding attachments, passes through along its journey is capableof copying and/or altering the message content, thus, exposing themessage content to malicious interceptions. Also, in some countries,government agencies routinely monitor e-mail message content.Accordingly, it has become a favorable practice among e-mail users toencrypt private or otherwise sensitive material that either party,sender or recipient, desires to remain confidential.

Encryption, or cryptography, is the technique of converting plaininformation into unintelligible information and re-converting theunintelligible information back into an intelligible, preferably theoriginal, form. Cryptography has existed for centuries but it hasrecently been given significantly more attention as a result of theadvent of e-commerce, privacy concerns and the Internet. Fast, cheap,high-powered computers and communications systems are enabling thedevelopment of new cryptographic systems and methodologies and, alongwith them, the ability to crack/decipher the codes.

One conventional encryption technique is referred to as the “sharedsecret” technique. The shared secret technique consists of a singlemathematical “key” used for both encryption and decryption of data. Thistype of cryptographic system is sometimes also referred to as“symmetric” cryptography because the same “key” both encrypts anddecrypts the message. Both the sender and the recipient of a message,such as an e-mail message, must possess the same mathematical key andthe parties are responsible for physically maintaining the secrecy andsecurity of the key to ensure the privacy and security of theircommunication.

In shared secret, or symmetrical, encryption, the sender of a messageencrypts the message using any of a virtually limitless number ofencryption keys. Encryption keys are often in the form of a mathematicalalgorithm. Upon receipt of the message on the recipient's computer,after being passed through various intermediary machines as an encryptedmessage, the recipient decrypts the message by using the same key, inreverse, as the sender used to encrypt the message. Obviously, in orderfor this system to work, the sender and the recipient must each knowwhich key was used to send the message. Accordingly, the partiestypically agree on an algorithm through various “offline” means, such asa private telephone conversation, a separate e-mail message, etc.

Another encryption technique, one that improves upon the “shared secret”method, is known as “Public Key” cryptography. Public Key cryptographyemploys a two-key system wherein the two keys are asymmetric, orcompletely different. However, even though the two keys are different,they comprise a set and work together to encode and decode information.One key is kept private, or secret, by one of the parties and the otherkey is made readily available to the public. However, the second key istypically retained in a trustworthy repository. When a public key isused to encrypt a message, only the private key from the pair is capableof decrypting the message. Thus, in public key cryptography, anyone cansend secret messages to the holder of a private key because the matchingpublic key is readily available, yet no one other than the intendedrecipient, who possesses the matching private key, can decrypt themessage. Therefore, regardless of the number of people that come intopossession of the message, the integrity of the message content ismaintained.

Public Key cryptography has lead to several other useful innovations,such as the digital signature. A digital signature is much like ahand-written signature in that it provides proof that the originator ofthe message is actually who the person claims to be (a process known as“Authentication”). A sender “signs” messages by passing them through amathematical algorithm, known as a “hash” function, and produces asummary, or “hash”, of the subject message. Mathematically, thissummary, or hash, is unique for every message, similar to the way afingerprint is unique for every person. The sender then encrypts thehash with his private key and attaches the code to the end of themessage. This attached code is the digital signature. The intendedrecipient, upon receipt of the encrypted message and sender signature,verifies the authenticity of the message and proves that it has not beenaltered in transit by decrypting the digital signature with the sender'spublic key and passing the message through the same hash function, inreverse. If the two hash codes are the same, it can be confirmed thatthe message was indeed sent from the holder of the matching private key(Non-repudiation) and that it was not altered (Integrity).

A Public Key Infrastructure (PKI) refers to the entire Public Keysystem. A PKI comprises the keys as well as one or more trusted systemsknown as Certification Authorities (CA). These CAs are organized in atree-like hierarchical structure. Each user's Public Key andidentification are placed in a digital certificate. The CA digitallysigns each certificate and makes the certificates freely available bypublishing them in publicly accessible directories. Any client, or user,of the PKI may access any other users' Public Key and verify theauthenticity by using the CA's Public Key to verify the CA's signatureon the certificate. The CA at the top of the hierarchy signscertificates of subordinate CAs and these CAs in turn sign certificatesof CAs below themselves and so forth. This system establishes a chain oftrust in a distributed CA system., including cryptographic keys and acertificate management system. The PKI enables secure transactions andprivate exchange of information between parties who may either be wellknown to each other or complete strangers. PKI provides privacy,integrity, authentication, and non-repudiation for applications andelectronic commerce transactions.

There are a variety of free and commercial packages available forperforming either type of encryption, i.e., symmetrical and/orasymmetrical. There are also companies that offer software packages forencryption. Network Associates, Inc., for example, offers a freeware anda commercial package that allow an e-mail message attachment to beencrypted as a self decrypting archive (SDA). It is assumed that thereare other similar packages available and that it is possible for askilled artisan to replicate or enhance these offerings.

However, most current handsets, e.g., wireless phones, pagers, PDAs,etc., do not have the computational power to decrypt e-mail messagesthat are coded using these methods. A key can be considered secure if itcan not be cracked in a reasonable amount of time by brute force (i.e.,trying all combinations sequentially), even if cracking the key requiresusing many computers. The security of a key, i.e., its ability towithstand attempts to decipher it, is in relation to its length. Inother words, the longer the actual mathematical code used to create thekey, the more difficult it is to decode/decipher the key and, thus, themore secure the key is. However, decoding long keys makes the job of thehandset more difficult. In the handset, low available computationalpower makes it impractical to decrypt anything but short simple and,therefore, insecure codes.

Currently, when an encrypted e-mail message is received by a user, thereis no reasonable method, due to the limitations explained above, bywhich the recipient can decrypt the e-mail message using only the mobilehandset. The e-mail message could be decrypted by the e-mail server, butit is accepted in the industry that a reasonable person receiving anencrypted e-mail message would not leave the decryption password storedon an operator's server where it could be legally, or illegally,intercepted. It is also reasonable to assume that the sender wouldprefer that confidentiality not be compromised in this way.

Accordingly, in accordance with conventional methods, a recipient of anencrypted e-mail message, in order to maintain the integrity of themessage content, is required to download the message and decrypt itlocally on his own computer, which is a secure machine where, typically,the keys are stored. The recipient, even if notified of the receipt ofan e-mail message on his phone, PDA, pager, etc., will not be able toview the message, or listen to it, immediately without compromising theintegrity of the message, i.e., without providing the decryption “key”on the open, unsecure system/server as explained above. In most cases,providing the key on an open system in this manner also compromisesfuture messages, since those future messages typically utilize the samepassword. This becomes, as a minimum, an inconvenience to the recipient,and possibly to the sender, when the recipient is mobile and notphysically located where secure message retrieval is possible.

SUMMARY OF THE INVENTION

In view of the aforementioned problems with the conventional approach toe-mail message encryption, decryption and delivery, it is an object ofthe present invention to provide a communication system in whichencrypted e-mail messages and/or their corresponding attachments can bedecrypted and converted to another format to be delivered to some otherdevice other than the recipient's main, secure, machine (e.g., his orher PC).

A further object of the present invention is to perform theabove-mentioned message conversion (hereinafter referred to as“e-mail-to-other” format conversion) and delivery without significantlycompromising the integrity of the e-mail message content.

In accordance with one embodiment of the present invention, a system isprovided in which an e-mail message recipient is notified of, (1)receipt of an e-mail message; (2) the identity of the sender of thee-mail message; (3) the subject of the e-mail message; and (4) anindication of whether the e-mail message is encrypted. The recipient ofthe e-mail message then has the choice of either downloading the e-mailmessage on a secure machine at a later time or opening the e-mailmessage immediately by providing the system with the appropriatedecryption key. According to this embodiment, the shared secret or SDAencryption method and the e-mail-to-other format techniques areintegrated into a system that allows an e-mail message recipient tosimultaneously retrieve encrypted e-mail messages and convert them intoa format so they can be displayed readily by or on various types ofdevices.

In accordance with another embodiment of the present invention, a systemis provided in which an e-mail message recipient is notified, either byhis normal e-mail provider or by a previously arranged proxy server, ofreceipt of an e-mail message; the sender's identity; a subject of themessage; and an indication of whether the message is encrypted. Therecipient then has the choice of either downloading the message on asecure machine at a later time, further encrypting the message using hisown public key, deleting the message or having the system process themessage using one or more of any available e-mail-to-other formattechniques that will deliver the e-mail message to the recepient in asecure way without requiring access from the recipient's securecomputer.

In accordance with yet another embodiment of the present invention, asystem is provided in which an e-mail message recipient is notified,either by his normal e-mail provider or by a previously arranged proxyserver, of receipt of an e-mail message; the sender's identity; asubject of the message; and an indication of whether the message isencrypted. The recipient then has the choice of either downloading themessage on a secure machine at a later time or opening the messageimmediately by using one respective private key corresponding to one ofa variety of public keys used to encrypt the message, as discussed inmore detail below.

BRIEF DESCRIPTION OF THE DRAWINGS

The object and features of the present invention will become morereadily apparent from the following detailed description of thepreferred embodiments taken in conjunction with the accompanyingdrawings in which:

FIG. 1 is a diagrammatic view of a first embodiment of the presentinvention.

FIG. 2 is a diagrammatic view of a second embodiment of the presentinvention.

FIG. 3 is a diagrammatic view of a third embodiment of the presentinvention.

FIG. 4 is a diagrammatic view of a fourth embodiment of the presentinvention.

FIG. 5 is a diagrammatic view of a fifth embodiment of the presentinvention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Several embodiments of the present invention are discussed in detailbelow. While specific configurations are discussed, it should beunderstood that the specific embodiments discussed are for illustrationpurposes only. A person skilled in the relevant art will recognize thatother components and configurations may be used without departing fromthe spirit and scope of the invention. For example, although some of thepresented embodiments include a proxy that is located at or near thee-mail server, it is recognized that the functionality of the proxycould also be performed as a client application, e.g., on eachrecipient's computer.

Embodiment 1

In accordance with a first embodiment of the present invention, inreference to FIG. 1, the sender 10 of an encrypted e-mail message sendsthe message, along with any corresponding attachment(s), through theInternet 20, or some other similar network, to the intended recipient'se-mail server 30. Upon receipt of the encrypted e-mail message by therecipient's e-mail server 30, the recipient 40 is alerted by activationof an audible and/or visual notification 45. Further, within thenotification message 47, passed on by the e-mail server 30, the e-mailserver 30 informs the recipient 40 of: (1) the identity of the sender ofthe e-mail message, (2) the subject of the e-mail message, and (3)whether the content of the e-mail message is encrypted.

Recipient 40 then has the choice of deferring retrieval of the messageto a later time when the recipient can conveniently connect in thestandard method, e.g., using a secure machine 50 connected to his e-mailserver 30, where he can decrypt the encrypted message 57 locally, orretrieving the message immediately by sending a password or sharedsecret 55 to the e-mail server 30 and receiving the decrypted e-mailmessage 58 from the e-mail server. As represented by the thick dashedline 48 connecting the recipient 40 to the recipient's secure machine50, if the recipient decides to defer message retrieval until a latertime, he will need to travel to the location of the secure machine 50,and cannot retrieve the message remotely, as is possible in accordancewith the the invention.

The password, or shared secret 55, can be provided by the recipient tothe e-mail server using a variety of different methods. For example;

-   By Dual Tone Multi-Frequency (DTMF)—either an entirely numerical    password, or by spelling out words on an alphanumeric keypad;-   By Voice Recognition—using voice recognition technology to recognize    the password; or,-   By Mobile Originated Short Message—the recipient would send a short    message to the system containing the password.

The present embodiment can be further enhanced by using a voiceauthentication method to ensure that the person attempting retrieval ofthe message is indeed the intended recipient 40. For obvious reasons, avoice authentication method is preferably performed in the e-mail server30, which would likely be a dedicated server that is part of the totalsystem, prior to accepting the password, or shared secret 55. This isalso known as a question mechanism. An advantage associated with theabove-mentioned technique is that it gives both the sender 10 and therecipient 40 control over which messages are retrieved, and when theyare retrieved. To provide further flexibility and an additional degreeof security, the parties may have two, or more, shared secrets, one fornormal confidentiality and one for highly confidential, or “top secret”material. Additionally, the parties can establish a shared secret for asingle particular transaction. Those skilled in the art would be able toderive other various techniques, such as phoning a help desk andoffering the password etc., for transferring the password 55 to thee-mail server 30 without venturing from the spirit of the presentinvention.

According to the present embodiment, an encrypted e-mail message isdelivered to the recipient's e-mail server in a completely secure methodsince it is encrypted. Then, the recipient is immediately notified ofreceipt of the message, e.g., via conventional cellular, or othercommunication methods, and the recipient has the option of providing theserver with the decryption key, or password, in order to have thedecrypted message converted into a proper format and transmitted to therecipient. The fact that the password is revealed to the server carriesa much lower risk than would otherwise be born since the password isonly shared with the server, directly from the recipient, and does notpass through various other machines where it is susceptible to beingintercepted. Also, as explained above, it is agreed by both parties,prior to the sender sending the message, that this level of risk isacceptable. Although the likelihood is remote, it is possible that thepassword would be intercepted by an unscrupulous third party,“listening” to the recipient's mobile communication channel, and used toattempt to decode additional e-mail messages directed to the recipient.However, this type of risk can be easily obviated by the partiesagreeing to change passwords either after each transmission or at leastoften enough to minimize the risk of having a third party obtain and usethe password.

Although the present embodiment has been described using cellulartechnologies, this embodiment, as well as other embodiments, is notlimited to the intended message recipient receiving the message viacellular technologies. For example, the message recipient could receivethe messages on a public computer where Internet browsing is enabled.

Embodiment 2

In accordance with a second embodiment of the present invention, inreference to FIG. 2, the e-mail server 30 with e-mail-to-other formatcapability (acting as the intended recipient's home mailbox) provides afacility known as the recipient's “Proxy” 60. As indicated by the dottedline 25, Proxy 60 typically is operable to communicate via the Internet20. The Proxy 60 maintains a private/public key pair to be used in theevent the recipient 40 receives an encrypted e-mail message and,further, the proxy 60 can be located virtually anywhere. For example,proxy 60 can be located at the recipient's e-mail server 30 or it can belocated in an entirely different location. The private key 63 is kept ina secure fashion in an area of the Proxy 60 identity that isunaccessible to unauthorized users and, if desired, can itself beencrypted with a password known only by the recipient 40.

When first establishing the Proxy 60, the recipient 40 applies for a keypair. Subsequently, after the key pair has been established, therecipient 40 encrypts the private key with yet another password usingany of a variety of different known techniques, and transfers theencrypted private key to the system to act as his Proxy 60. The sender10, wishing to send an e-mail message to the recipient 40 chooseswhether to have the server 30 send the e-mail message directly to therecipient's secure machine 50 (using a dedicated key pair and e-mailaddress), thereby guaranteeing maximum security but preventing therecipient 40 from receiving the e-mail message in any e-mail-to-otherformat method, or sending the e-mail message to the Proxy 60 with apriori knowledge that the Proxy 60 is a reasonably secure alias for therecipient.

As mentioned previously in connection with the first embodiment, asrepresented by the thick dashed line 48 in FIG. 2, connecting recipient40 and secure machine 50, if the recipient decides to defer messageretrieval until a later time, when he can retrieve and decrypt themessage in a more secure manner on secure machine 50, he must physicallygo to the location of secure machine 50. The sender 10 would typicallybe aware that sending the encrypted e-mail message to the Proxy 60allows the recipient 40 to receive the e-mail message in a variety offormats but that sending the e-mail message to the Proxy 60 and usingthe private key 63 to decrypt its contents is ultimately slightly lesssecure than sending the e-mail message directly to the recipient'ssecure machine 50. Of course, the use of a proxy, as described withrespect to this embodiment, is not limited to a private/public keyscheme. Other encryption/decryption methods, such as the shared secretscheme discussed above, may also be used with the proxy.

The recipient 40 can enhance the security of the Proxy 60 by defining aseries of rules limiting the e-mail message traffic allowed to enter theProxy 60. For example, rules could be established in the Proxy whereonly e-mail messages from certain specified senders would be accepted.Further, messages of a specified length, with a specified subject, sentduring a specified time and/or sent from certain e-mail hosts, can beeither deleted upon receipt or transferred directly to the recipient'ssecure system, i.e., the system where decryption can be carried outwithout the need for transmitting the password or key information overanother network or through another, third party, machine. Accordingly,the recipient is afforded reasonable control over messages that he iswilling to accept in this fashion.

If the incoming e-mail message meets the restrictions imposed by therecipient's rules, the e-mail message will be accepted by the Proxy andthe recipient will be informed by the system that an encrypted e-mailmessage has been received by the Proxy. The recipient will also beinformed of certain characteristics corresponding to the e-mail message,such as sender's identity, subject, length, whether there is anyattachments, etc. The recipient then instructs the Proxy 60 to encryptthe message further, using his own public key or, possibly, instructsthe Proxy to delete the message.

In accordance with the present embodiment, after determining whether toretrieve the e-mail message, the recipient 40 decides whether toretrieve the message via his own secure system 50, or whether toinstruct the Proxy 60 to decrypt and process the message using one ofthe e-mail-to-other format methods. If the recipient 40 decides to havethe Proxy 60 send him the decrypted e-mail message, the Proxy thenrequests the necessary password 55 from the recipient 40 to decode theprivate key. If the password is accepted by the proxy 60 the message isdecrypted 65 and delivered to the recipient 40 in the specified format.

As mentioned in regard to the previous embodiment, the password can beoffered using a variety of methods:

-   By Dual Tone Multi-Frequency (DTMF)—either an entirely numerical    password, or by spelling out words on an alphanumeric keypad;-   By Voice Recognition—using voice recognition technology to recognize    the password; or,-   By Mobile Originated Short Message—the recipient would send a short    message to the system containing the password.

These methods could be further enhanced by using voice authenticationmethods to ensure that the party acting on behalf of the recipientindeed has the authority to do so. For example, voice codes could bestored within the Proxy 60 and prior to accepting any password 55 from aparty attempting to act on behalf of the recipient 40, the party's voicecould be checked against the stored voice codes to verify authorization.Other, seemingly simpler methods, may also be employed, such as achallenge request where a user is asked to answer a question to whichonly the user knows the answer, e.g., the maiden name of the user'smother. Of course, these techniques apply equally to the otherembodiments discussed herein as well.

Upon receipt of the authorized password 55, the Proxy 60 accesses thearea that is unaccessible to unauthorized users, requests the decryptedprivate key and uses the decrypted key to retrieve/decrypt the encryptede-mail message 57. Using the required e-mail-to-other format method toconvert the message to the format required by the recipient at thattime, i.e., voice for a receiving the message over a cellular telephone,facsimile data for receiving the e-mail message over facsimile machine,etc., the Proxy 60 then delivers the formatted, decrypted message 65 tothe recipient 40.

On the other hand, if the incoming e-mail message fails to meet thecriteria established by the recipient in the Proxy 60, a variety ofoptions can be employed by the recipient 40. For example, the e-mailmessage can be immediately rejected and a notice sent by the SystemAdministrator of server 30 indicating that the e-mail message was sentto the Proxy 60 and, further, requesting that the sender 10 use therecipient's personal public key to encode the message and send it to therecipient's secure e-mail address on secure machine 50. Alternatively,in the Proxy 60, the e-mail message and/or its attachment(s) can beencrypted if it has not yet been encrypted, or it can be furtherencrypted if it has already been encrypted by the sender 10. Becausethis particular encryption is performed within the Proxy 60, therecipient's public key, which was stored in the Proxy when the Proxy wasinitialized, as discussed previously, can be used. The encrypted, orfurther encrypted, e-mail message is then stored in the recipient'ssecure e-mail message inbox 50 or in the recipient's Proxy e-mailmessage inbox 60. Accordingly, the encrypted e-mail message can only bedecoded by the recipient using his own private key.

An advantage associated with the present, second, embodiment is that,similar to the first embodiment described above, it provides both thesender 10 and the recipient 40 control over which messages areretrieved, how they are received, and when. Additionally, furtherprotection is provided for e-mail messages retrieved using a system inaccordance with the second embodiment since the recipient 40 canrestrict which messages are accepted in the Proxy account. Also, asender can choose to send or not send a message to the Proxy. Also thepassword is never transmitted over the air, it is not disclosed at thepoint of requirement but is set up in advance—possibly months earlier.

In accordance with this embodiment, the message is delivered to therecipient's e-mail provider 30 in a manner that is completely secure.This mechanism could be further enhanced with a password selectionmechanism that offers single-use, randomly distributed, passwords,discussed later. The fact that the password is revealed to the systemcarries minimum risk because, as explained previously, it is furtherprotected and, ultimately, is part of the working practice of thesystem. Furthermore, the recipient could frequently change the key pairand he could also change the password required to access the private keyeven more frequently. Accordingly, it would be virtually impossible tointercept and decode encrypted e-mail messages unless the interceptorhad the precise key at the precise time and he also was able to gainauthorization for supplying the key by getting around the voicerecognition, password, or other such authorization system employed.

Embodiment 3

According to a third embodiment of the invention, a special CertificateAuthority system is established in a system similar to that ofembodiment 2 where a private key 64 is stored by an independent thirdparty 70 that is unrelated to the e-mail operator 30. It should be notedthat the third party 70 can be located in any location and often can beadvantageously located in a jurisdiction, legal or otherwise, that isdifferent than the jurisdiction of either the sender 10, the recipient40, or any of the other system components. Referring to FIG. 3, uponreceipt of an encrypted e-mail message 57 by the recipient's Proxy 60,the recipient 40 can then decide to accept or reject the e-mail message.If the recipient decides to accept the e-mail message, the decryptede-mail message, decrypted using the private key, is retrieved from thethird party 70 as described below.

Retrieval of the decrypted e-mail message from the third party 70 can beachieved in several ways. For example, the recipient 40 can provide thepassword 55 used to decrypt the private key, using any of the variety ofmethods previously discussed, as well as any other appropriate method.Other appropriate methods include techniques such as querying a seriesof identifying questions where the predefined answers are known only tothe recipient, as discussed above, or voice authentication. Results ofthese security checks are then forwarded to the third party 70, alongwith the encrypted e-mail message 61 a if the security check results inauthorization being granted. The third party decrypts the e-mail messageusing the Proxy's private key 64. The plain text message, for example,would then be encrypted using the e-mail provider's public key and thensent back to the proxy 62. The proxy then uses its own private key 63 todecrypt the message into a plain text message. This plain text messagecan then be used to perform the required e-mail-to-other formatconversion and send the message to recipient 40 as a decrypted message65.

The e-mail provider 30 can provide the recipient 40 with a uniqueidentifier 45 b for the e-mail message and would also forward theencrypted e-mail message to the third party 61 b via the proxy 60. Therecipient 40 can access his account at the third party himself 61 c,using any of the variety of methods listed above or other appropriatemethods such as a series of identifying questions, etc.

The encrypted e-mail is supplied to the third party together with anidentifier. Upon authorization (described below) the third party decodesthe e-mail message and passes it back to the e-mail server 30.

The recipient 40 also supplies the unique identifier relating to thee-mail message 61 c. The third party 70 decrypts the e-mail messageusing the recipient's Proxy private key. This decrypted e-mail messageshould be protected. Protection methods include using the e-mailserver's public private key (as described below), using a dedicated,secure communications channel, using a VPN (virtual private network),not shown, to establish a secure channel in an otherwise publicInternet, or by any other appropriate methods.

The plain text message is then encrypted using the e-mail provider'spublic key and the message is sent back to the e-mail provider. Thee-mail provider then uses its own private key to decrypt the messageinto a plain text message. This plain text message could then be used toperform the required e-mail-to-other format conversion as desired.

It is important to note that the private key or shared password is nevermade available to the e-mail server. Also the methods describedelsewhere to increase security by changing passwords are equallyapplicable here.

In accordance with this embodiment of the invention, even though theadditional procedures make the present embodiment more complex than theembodiments previously described, the additional procedures provideincreased security to the system. The private key is never known to theoperator, and the recipient has the choice of supplier of the privatekey. The supplier of the private key can be a well-trusted third partyor it can even be a separate machine that is under the control of therecipient, such as his corporate e-mail server.

In the event an encrypted message is compromised, e.g., for some reasona third party was able to intercept the recipient's key pair and decryptthe encrypted e-mail message, the degree to which the system iscompromised is limited to that single particular message. This isprimarily the case in the single-use key situation. As previouslydescribed, there is a degree of control over even this risk due to thefiltering on the Proxy 60 and the sender's choice to use the Proxy 60and not the recipient's secure machine 50. Also, time expiration methodsare inherent within the certificate schemes. It is assumed that theproxy methods described herein will include frequent changes ofpasswords possibly even to the extent of a single-use password.

A system operating under a PKI has several options that affect the levelof security (specifically key length); some of these are restricted bylaw in some jurisdictions. The methods in accordance with theembodiments of the present invention are independent of any singleparticular implementation. The afforded security is primarily a functionof the PKI implementation together with the unique adaptations providedby the present invention.

The present embodiment comprises merging Public Key Infrastructure (PKI)techniques with e-mail-to-other format methods. This merger allows thebenefits of the inherent security of PKI together with the mobilityenhancements offered by the e-mail-to-other format services. Again,presently, there exists no method that allows secure access to e-mailmessages without the direct use of the recipient's PC, or some otherdedicated machine with sufficient processing power. As mentioned abovein regard to embodiment 1, the invention is not limited to cellulartechnologies, other mechanisms, such as public Internet browsers, etc.,can be used to access messages.

Embodiment 4

In accordance with a fourth embodiment of the present invention,referring to FIG. 4, an e-mail server 30 with e-mail-to-other formatcapability, and acting as the intended recipient's home mailbox, similarto the second embodiment, also provides a facility that may be regardedas the recipient's “Proxy” 60.

When first establishing the Proxy 60, the recipient 40 typically appliesfor a key pair in the normal fashion, as discussed previously. Therecipient 40 then encrypts the private key using another password (asalready discussed, a variety of techniques are possible) and transfersthe encrypted key to the facility acting as the recipient's Proxy 60. Inaccordance with this embodiment, the process of establishing a key pairand encrypting the private key is repeated an arbitrary number of timesto establish several secure key pairs. Each private key can be storedwith a different access password in an area of the Proxy 60 that isunaccessible to unauthorized users.

When a sender 10 attempts to look-up the recipient's Proxy 60 in orderto obtain the certificate, the sender 10 randomly receives one of thepublic keys with a short expiration time, i.e., several minutes,together with a notice explaining the short expiration time. The Proxy60 can be the recipient's CA, however, this is not required. Once apublic key is issued to the sender 10, that particular public-privatekey pair is disabled and not issued again.

As an enhancement, a system in accordance with this embodiment can bemodified slightly so that the key pairs are not generated in advance,but rather on demand when the sender 10 attempts to look-up therecipient Proxy's certificate. In this situation, the single-use privatekey would be stored on the system. Accordingly, there is a trade-offbetween ease of use and a reduction in the protection afforded by theprivate key.

When the e-mail message is ultimately received, a time stamp that istypically included in the message overhead is checked to ensure that themessage was originated in the short time window allowed by thecertificate. If the time stamp indicates that the message originatedoutside the allotted time, the message is discarded. If the sender 10wishes to send an e-mail message to the recipient 40, she would have thechoice of sending the e-mail message directly to the recipient's securemachine 50, thereby guaranteeing maximum security but preventing therecipient from receiving the e-mail message in any e-mail-to-otherformat. Alternatively, the sender 10 can choose to send the e-mailmessage 57 to the recipient's Proxy 60 with a priori knowledge that thisis a fairly secure alias for the recipient which allows the recipient 40to receive e-mail messages in a variety of formats.

Similar to the second embodiment, discussed above, the recipient canenhance the security of the Proxy 60 by defining a series of rules; forexample only certain senders would be accepted, messages of a certainlength, with a certain subject, sent at certain time, from certaine-mail hosts, margin allowed on the time window, etc. This allows therecipient reasonable control over messages that he is willing to acceptin this fashion.

If the incoming e-mail message meets the restrictions imposed by therecipient, the e-mail message will be accepted and the recipient will beinformed by the system that an encrypted e-mail message has beenreceived by the Proxy 60. The message will inform the recipient of thecharacteristics of the e-mail message and which key pair is used (basedon time or other means). The recipient then instructs the Proxy 60 toencrypt the message further, using his own public key or, possibly,instructs the Proxy to delete the message.

In accordance with the present embodiment, after determining whether toretrieve the e-mail message, the recipient 40 then decides whether toretrieve the message via his own secure system 50, or whether toinstruct the Proxy 60 to decrypt and process the message using one ofthe e-mail-to-other format methods. If the recipient 40 decides to havethe Proxy 60 send him the decrypted e-mail message, the Proxy thenrequests the necessary password 55 from the recipient 40 to decode theprivate key. If the password is accepted by the proxy 60 the message isdecrypted 65 and delivered to the recipient 40 in the specified format.

As mentioned in regard to the previous embodiment, the password can beoffered using a variety of methods:

-   By Dual Tone Multi-Frequency (DTMF)—either an entirely numerical    password, or by spelling out words on an alphanumeric keypad;-   By Voice Recognition—using voice recognition technology to recognize    the password; or,-   By Mobile Originated Short Message—the recipient would send a short    message to the system containing the password.

These methods could be further enhanced by using voice authenticationmethods to ensure that the party acting on behalf of the recipientindeed has the authority to do so. For example, voice codes could bestored within the Proxy 60 and prior to accepting any password 55 from aparty attempting to act on behalf of the recipient 40, the party's voicecould be checked against the stored voice codes to verify authorization.Another technique that can be used is the challenge, or questionmechanism, where a response to a particular question is solicited. Thequestion being one to which only the user knows the answer.

Upon receipt of the authorized password 55, the Proxy 60 accesses thearea unaccessible to unauthorized users and requests the decryptedprivate key and uses the decrypted key to retrieve the encrypted e-mailmessage. Using the required e-mail-to-other format method to convert themessage to the format required by the recipient at that time, i.e.,voice for a receiving the message over a cellular phone, facsimile datafor receiving the e-mail message over facsimile machine, etc., the Proxy60 then delivers the formatted, decrypted message 65 to the recipient40.

On the other hand, if the incoming e-mail message fails to meet therecipient's criteria, established in the Proxy 60, a variety of optionscan be employed by the recipient 40. For example, the e-mail message canbe immediately rejected and a notice sent by the System Administrator ofserver 30 indicating that the e-mail message was sent to the Proxy 60and, further, requesting that the sender 10 use the recipient's personalpublic key to encode the message and send it to the recipient's securee-mail address on secure machine 50. Alternatively, in the Proxy 60, thee-mail message and/or its attachment(s) can be encrypted if it has notyet been encrypted, or it can be further encrypted if it has alreadybeen encrypted by the sender 10. Because this particular encryption isperformed within the Proxy 60, the recipient's public key, which wasstored in the Proxy when the Proxy was initialized, as discussedpreviously, can be used. The encrypted, or further encrypted, e-mailmessage is then stored in the recipient's secure e-mail message inbox 50or in the recipient's Proxy e-mail message inbox 60. The encryptede-mail message can now only be decoded by the recipient using his ownprivate key, as distinguished from the slightly less secure proxy,private key.

An advantage associated with the present, fourth, embodiment is that,similar to the first embodiment described above, it provides both thesender 10 and the recipient 40 control over which messages areretrieved, how they are received, and when. Additionally, furtherprotection is provided for e-mail messages retrieved using a system inaccordance with the second embodiment since the recipient 40 canrestrict which messages are accepted in the Proxy account. Also, asender can choose to send or not send a message to the Proxy. Oneimportant advantage achieved by the present embodiment different fromthe other embodiments is that there are many single use time restrictedkey pairs.

Embodiment 5

Referring to FIG. 5, according to a fifth embodiment, a specialCertificate Authority system is established in a system similar to thesystem of embodiment 3 where the private key is stored by an independentthird party 70 that is unrelated to the e-mail operator 30. This thirdparty, like the one described in embodiment 3, can be located in adifferent legal jurisdiction.

In accordance with this embodiment, the process of establishing a keypair and encrypting the private key is repeated an arbitrary number oftimes to establish several secure key pairs. Each private key can bestored with a different access password in an area of the Proxy 60 notaccessible to unauthorized users.

When a sender 10 attempts to look up the recipient's Proxy 60 in orderto obtain the certificate, the sender 10 randomly receives one of thepublic keys with a short expiration time, i.e., several minutes,together with a notice explaining the short expiration time. Once apublic key is issued to the sender 10, that particular public-privatekey pair is disabled and not issued again.

As an enhancement, a system in accordance with this embodiment can bemodified slightly so that the key pairs are not generated in advance,but rather on demand when the sender 10 attempts to look-up therecipient's Proxy's certificate. In this situation, the single-useprivate key would be stored on the system. Accordingly, there is atrade-off between ease of use and a reduction in the protection affordedby the private key.

When the e-mail message is ultimately received, a time stamp that istypically included in the message overhead is checked to ensure that themessage was originated in the short time window allowed by thecertificate. If the time stamp indicates that the message originatedoutside the allotted time, the message is discarded. If the sender 10wishes to send an e-mail message to the recipient 40, she would have thechoice of sending the e-mail message directly to the recipient's securemachine 50, thereby guaranteeing maximum security but preventing therecipient from receiving the e-mail message in any e-mail-to-otherformat. Alternatively, the sender 10 can choose to send the e-mailmessage 57 to the recipient's Proxy 60 with a priori knowledge that thisis a fairly secure alias for the recipient which allows the recipient 40to receive e-mail messages in a variety of formats.

Upon receipt of an encrypted e-mail message 57 by the recipient's Proxy60, the recipient 40 can then decide to accept or reject the e-mailmessage. If the recipient chooses to accept the e-mail message, thedecrypted e-mail message, decrypted using the private key, is retrievedfrom the third party 70.

This retrieval can be achieved in several ways. For example, therecipient 40 could provide the password used to decrypt the private key,using any of the variety of methods listed above, as well as any otherappropriate method. Other appropriate methods include techniques, suchas, querying a series of identifying questions where the predefinedanswers are known only to the recipient, or voice authentication.Results of these security checks are then forwarded to the third partytogether with the encrypted e-mail message 61 a. The third party woulddecrypt the e-mail message using its corresponding private key. Theplain text message would then be encrypted using the e-mail messageprovider's public key and then sent back to the e-mail message provider62. The e-mail provider would then use its own private key to decryptthe message into a plain text message. This plain text message couldthen be used to perform the required e-mail-to-other formatconversion.65

The e-mail provider 30 can provide the recipient 40 with a uniqueidentifier for the e-mail message and would also forward the encryptede-mail message to the third party 61 b. The recipient 40 could accesshis account at the third party himself 61 c using any of the variety ofmethods listed above or other appropriate methods such as a series ofidentifying questions, etc.

The recipient 40 also supplies the unique identifier relating to thee-mail message. The third party decrypts the e-mail message using therecipient's Proxy private key. This decrypted e-mail should beprotected. Protection methods include using the e-mail server's publicprivate key (as described below), using a dedicated, securecommunications channel, using a VPN (virtual private network) toestablish a secure channel in an otherwise public Internet, or by anyother appropriate methods.

The plain text message is then encrypted using the e-mail provider'spublic key and the message is sent back to the e-mail provider 62. Thee-mail provider then uses its own private key to decrypt the messageinto a plain text message. This plain text message could then be used toperform the required e-mail-to-other format conversion as desired 65.

In accordance with this enhancement to the present embodiment of theinvention, even though the additional procedures make the overallprocedure more complex, they add increased security to the system. Theprivate key is never known to the operator, and the recipient has thechoice of supplier of the private key. The supplier of the private keycan be a well-trusted third party or it can even be a separate machinethat is under the control of the recipient, such as his corporateserver.

In the event an encrypted message is compromised, i.e., for some reasona third party was able to intercept the recipient's key pair and decryptthe encrypted e-mail message, the degree to which the system iscompromised is limited to that one particular message. As previouslydescribed, there is a degree of control over even this risk due to thefiltering on the Proxy 60 and the sender's choice to use the Proxy 60and not the recipient's secure machine 50.

A system operating under a PKI has several options that affect the levelof security (specifically key length); some of these are restricted bylaw in some jurisdictions. The methods in accordance with theembodiments of the present invention are independent of particularimplementation. The afforded security is primarily a function of the PKIimplementation together with the unique adaptations provided by thepresent invention.

The fifth embodiment, similar to the second embodiment described above,comprises merging Public Key Infrastructure (PKI) techniques withe-mail-to-other format methods. This merger allows the benefits of theinherent security of PKI together with the mobility enhancements offeredby the e-mail-to-other format services. However, the third party 70 isestablished with a predefined number of private-public key pairs, eachprotected by a respective password or access code. In this manner, therecipient can use each key pair once, thereby increasing the security ofthe system even further.

Also, in accordance with a further embodiment of the invention, when apublic/private key pair is established, the public key is obtained bythe sender through standard methods, as described previously, however,the private key is held by a Certificate Authority (CA) who maintainsthe security of the private key. The CA issues short-term “licenses” touse the private key, to specified users, upon receipt of anauthorization grant provided by the recipient. The authorization grantis provided to the CA via a phone call or any other appropriate methodas described previously. Further, the specified users of the short-termlicenses include the recipient's own machine and/or the recipient'sproxy. As mentioned above in regard to embodiment 1, the invention isnot limited to cellular technologies, other mechanisms, such as publicInternet browsers, etc., can be used to access messages.

A further enhancement that applies equally to all embodiments of thepresent invention involves having the sender specify in the transmittedmessage whether or not the message can be converted into another format,other than the format of the transmitted message, i.e., e-mail-to-otherconversion. Also, the sender can be given the capability to generate apassword, either randomly or by user input, and send the password to theintended recipient of the message. It is favorable to send the passwordto the recipient in an “out-of-band” method, such as by separateelectronic message or by a forced phone message. Out-of-Band techniquesare employed to provide security against outside persons, or machines,intercepting both the encrypted message and the password that can beused to invoke decryption.

1. An electronic message retrieval system comprising: a sender operableto transmit an encrypted electronic message, directed to a mobile deviceof a specified recipient, over a transmission medium; a messageretrieval device associated with the specified recipient operable toreceive the encrypted electronic message and provide a notificationmessage to the mobile device indicating receipt of the encryptedelectronic message by the message retrieval device; wherein said mobiledevice being operable to receive the notification message from saidmessage retrieval device and in response thereto provide a secretpassword to said message retrieval device to initiate decryption of theencrypted electronic message, wherein said message retrieval device isfurther operable to convert the decrypted electronic message into aformat that is compatible with the mobile device, and to transmit theconverted decrypted electronic message to the mobile device.
 2. Anelectronic message retrieval system as claimed in claim 1, wherein theformat includes at least one of an audible format, a facsimile format,and a text format.
 3. An electronic message retrieval system as claimedin claim 1, wherein said message retrieval device comprises: a converterdevice operable to convert the format of the decrypted electronicmessage into a format recognized by the mobile device; and an outputunit from which the converted decrypted electronic message is providedto the mobile device.
 4. An electronic message retrieval system asclaimed in claim 3, wherein said sender encrypts the electronic messagein accordance with a specified electronic key and said message retrievaldevice decrypts the encrypted electronic message using said specifiedelectronic key.
 5. An electronic message retrieval system as claimed inclaim 1, further comprising: a password transmission unit operable totransmit a password to said specified recipient.
 6. An electronicmessage retrieval system as claimed in claim 5, further comprising: apassword transmission path through which the secret password istransmitted to said recipient's mobile device; and a messagetransmission path, different from said password transmission path,through which said decrypted electronic message is provided to therecipient's mobile device.
 7. An electronic message retrieval system asclaimed in claim 6, wherein said password is generated by the sender andcommunicated to the password transmission unit in a message differentfrom the encrypted electronic message.
 8. An electronic messageretrieval system as claimed in claim 1, wherein the mobile device is acell phone that is unable to decrypt the encrypted electronic message,and wherein a portion of said transmission medium is the Internet.
 9. Anelectronic message retrieval system as claimed in claim 1, wherein saidencrypted electronic message comprises an indication as to whether theencrypted electronic message can be converted into a different format.10. An electronic message retrieval system as claimed in claim 3,further comprising: a secure device operable to receive and decrypt theencrypted electronic message, wherein said secure device is operable toreceive messages in the same format as the format of the decryptedelectronic message.
 11. An electronic message retrieval system asclaimed in claim 3, wherein said encryption is performed by the senderusing a publicly accessible key associated with the recipient.
 12. Anelectronic message retrieval system as claimed in claim 3, wherein saidmobile device is operable to receive messages in a format different fromthe format of the decrypted electronic message.
 13. An electronicmessage retrieval system comprising: a sender operable to transmit anencrypted electronic message to a mobile device of a specified recipientthat is unable to decrypt the encrypted electronic message; a messageretrieval device operable to receive the encrypted electronic messageand provide a notification message to the mobile device when theencrypted electronic message is received by the message retrievaldevice, wherein said mobile device is operable to receive messages in aformat different from the format of the encrypted electronic message,said message retrieval device comprising; a decryption device operableto decrypt the encrypted electronic message upon receipt of a passwordfrom the mobile device; a converter device operable to convert thedecrypted electronic message into a format recognized by the mobiledevice; said electronic message retrieval system further comprising; asecure device operable to receive and decrypt the encrypted electronicmessage, wherein said secure device is operable to receive messages inthe same format as the format of the encrypted electronic message. 14.An electronic message retrieval method comprising: sending an encryptedelectronic message over a communication network to a recipient's messageretrieving device; notifying a recipient's mobile device of receipt ofthe encrypted electronic message; determining whether to defer retrievalof the encrypted electronic message or retrieve the encrypted electronicmessage immediately on the recipient's mobile device; and if it isdetermined that retrieval of the encrypted electronic message is to bedeferred, receiving and decrypting said encrypted electronic message ona secure machine associated with the recipient; or if it is determinedthat retrieval of the encrypted electronic message is to be performedimmediately, providing a password to the recipient's message retrievingdevice to render the recipient's message retrieving device operable todecrypt the encrypted electronic message, and converting the decryptedelectronic message into a format compatible that is compatible with therecipient's mobile device.
 15. An electronic message retrieval systemcomprising: a sender operable to transmit an encrypted electronicmessage over a communication network directed to a specified recipient'smobile device that is unable to decrypt the encrypted electronicmessage; a message retrieval device operable to receive the encryptedelectronic message and provide a notification message to the mobiledevice when the encrypted electronic message is received by the messageretrieval device; a proxy device operable to receive the encryptedelectronic message from the message retrieval device when therecipient's mobile device provides a proxy instruction to said messageretrieval device and operable to decrypt and transmit a decryptedelectronic message to said recipient's mobile device when the recipientprovides a password to said proxy device.
 16. An electronic messageretrieval system as claimed in claim 15, wherein said proxy decryptssaid encrypted electronic message by using a private key securely storedon said proxy.
 17. An electronic message retrieval system as claimed inclaim 15, said proxy device comprising: a decryption device operable todecrypt an encrypted private key associated with the recipient and alsodecrypt the encrypted electronic message, wherein the decryption deviceis activated upon receipt of a password; and a converter device operableto convert the decrypted electronic message into a format recognized bythe mobile device.
 18. An electronic message retrieval systemcomprising: a sender operable to transmit an encrypted electronicmessage over a communication network directed to a specified recipient'smobile device, wherein said encryption is performed using a publiclyaccessible key associated with the recipient; a message retrieval deviceoperable to receive the encrypted electronic message and provide anotification message to the recipient's mobile device when the encryptedelectronic message is received by the message retrieval device, whereinsaid recipient's mobile device is operable to receive messages in aformat different from the format of the encrypted electronic messagereceived by the message retrieval device; a proxy device operable toreceive the encrypted electronic message from the message retrievaldevice when the recipient provides a proxy instruction, said proxydevice comprising; a decryption device operable to decrypt an encryptedprivate key associated with the recipient and also decrypt the encryptedelectronic message, wherein the decryption device is activated uponreceipt of a password; and a converter device operable to convert thedecrypted electronic message into a format recognized by the mobiledevice; said electronic message retrieval system further comprising; asecure device operable to receive and decrypt the encrypted electronicmessage, wherein said secure device is operable to receive messages inthe same format as the format of the encrypted electronic message. 19.An electronic message retrieval system in accordance with claim 18,further comprising a third party authority operable to receive saidencrypted electronic message from said proxy device and decrypt theencrypted electronic message using a public key corresponding to saidproxy device.
 20. An electronic message retrieval system in accordancewith claim 19 wherein said third party authority is located in a legaljurisdiction other than a legal jurisdiction in which said recipient'smobile device is located.
 21. An electronic message retrieval system inaccordance with claim 19 wherein said third party authority is operableto receive a reference designation corresponding to said encryptedelectronic message along with said encrypted electronic message.
 22. Anelectronic message retrieval system in accordance with claim 21 whereinsaid third party authority is operable to receive said referencedesignation corresponding to said encrypted electronic message from saidspecified recipient and said decryption of said encrypted electronicmessage is controlled in accordance with the reference designationreceived from said specified recipient.
 23. An electronic messageretrieval method comprising: sending an encrypted electronic messageover a communication network to a recipient's message retrieving device,wherein said encryption is performed using a publicly accessible keyassociated with the recipient; alerting the recipient's mobile device ofthe receipt of the encrypted electronic message; determining based on amessage from the recipient's mobile device whether to defer retrieval ofthe encrypted electronic message or retrieve the encrypted electronicmessage immediately; and if it is determined that retrieval of theencrypted electronic message is to be deferred, receiving and decryptingsaid encrypted electronic message on a secure machine associated withthe recipient; or if it is determined that retrieval of the encryptedelectronic message is to be performed immediately, providing a passwordto a proxy device; decrypting, in said proxy device, a private encryptedkey associated with the recipient to render the proxy operable todecrypt the encrypted electronic message; and converting the electronicmessage into a format compatible with the recipient's mobile device froma format which is incompatible with the recipient's mobile device. 24.An electronic message retrieval system comprising: a sender operable totransmit an encrypted electronic message over a communication networkdirected to a specified recipient's mobile device, wherein saidencryption is performed using one of a plurality of publicly accessiblekeys associated with the recipient; a message retrieval device operableto receive the encrypted electronic message and provide a notificationmessage to the recipient's mobile device when the encrypted electronicmessage is received by the message retrieval device, wherein saidrecipient's mobile device is operable to receive messages in a formatdifferent from the format of the encrypted electronic message; a proxydevice operable to receive the encrypted electronic message from themessage retrieval device when the recipient provides a proxyinstruction, said proxy device comprising; a decryption device operableto decrypt a plurality of encrypted private keys associated with therecipient and also decrypt the encrypted electronic message, wherein thedecryption device is activated upon receipt of one of a plurality ofpasswords respectively associated with said encrypted private keys; aconverter device operable to convert the electronic message into aformat recognized by the recipient's mobile device; and said electronicmessage retrieval system further comprising; a secure device operable toreceive and decrypt the encrypted electronic message, wherein saidsecure device is operable to receive messages in the same format as theformat of the encrypted electronic message.
 25. An electronic messageretrieval method comprising: sending an encrypted electronic messageover a communication network to a recipient's message retrieving device,wherein said encryption is performed using one of a plurality ofpublicly accessible keys associated with the recipient; alerting therecipient's mobile device of the receipt of the encrypted electronicmessage; determining based on instructions from the recipient whether todefer retrieval of the encrypted electronic message or retrieve theencrypted electronic message immediately; and if it is determined thatretrieval of the encrypted electronic message is to be deferred,receiving and decrypting said encrypted electronic message on a securemachine associated with the recipient; or if it is determined thatretrieval of the encrypted electronic message is to be performedimmediately, providing one of a plurality of passwords to a proxydevice, said provided password being associated with the publiclyaccessible key used to encrypt the message; decrypting, in said proxydevice and upon receipt of said password, a private encrypted keyassociated with the publicly accessible key used to encrypt the messageto render the proxy operable to decrypt the encrypted electronicmessage; and converting the electronic message into a format compatiblewith the recipient's mobile device from a format which is incompatiblewith the recipient's mobile device.
 26. An electronic message retrievalsystem comprising: a sender operable to transmit an encrypted electronicmessage, directed to a specified recipient's mobile device, over atransmission medium; the recipient's mobile device being unable todecrypt the encrypted electronic message; a message retrieval deviceoperable to receive the encrypted electronic message and provide anotification message to the recipient's mobile device indicating thatthe encrypted electronic message has been received by the messageretrieval device, and to decrypt the encrypted electronic message; andwherein the recipient's mobile device is operable to receive saiddecrypted electronic message from said message retrieval device in aformat that is different from a format of the encrypted electronicmessage.